Bypassing Windows authentication reflection mitigations for ...#2187
Open
carlospolop wants to merge 1 commit intomasterfrom
🔗 Additional Context
Original Blog Post: https://www.synacktiv.com/en/publications/bypassing-windows-authentication-reflection-mitigations-for-system-shells-part.html
Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Active Directory Methodology (new page under Kerberos Authentication or NTLM/Relay area): "Kerberos reflection/relay via Unicode normalization (LCMapStringEx/NTDS SPN collisions)"; cross-link from "Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks" and Kerberos sections".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0 |
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title / context
Synacktiv (Part 2) develops a novel Kerberos authentication coercion primitive that bypassed Microsoft’s post-CVE-2025-33073 “authentication reflection” mitigations. The core bug class is Unicode normalization inconsistencies across Windows components: some pieces consider two strings “equivalent” (or generate colliding database search keys), while others treat them as different—allowing Kerberos reflection/relay that yields RCE as NT AUT...
🔧 Technical Details
DnsCache issues a DNS request), yet (b) collides with the victim’s real SPN during DC lookup because NTDS/ESE search keys are derived from LCMapStringEx(LCMAP_SORTKEY, flags=0x31403). Use Unicode lookalikes (e.g., replace R with Ⓡ, bytes 24 C7) and Unicode dot equivalents (e.g., ․, bytes 20 24) to build names like SⓇV1․AD․LOCAL. Register the name in DNS (via LDAP), coerce Kerberos auth (e.g., PetitPotam), capture the AP-REQ on a relay server, and relay it back to a service on the victim. A relay implementation may require relaxing strict string matching (patching krbrelayx.py) because the received SPN may contain Unicode characters. 2) Handling DNS re...
🤖 Agent Actions
I’m mapping the existing Windows AD and relay content first, then I’ll read the closest pages to determine whether this belongs in an existing NTLM/Kerberos relay file or needs a new page.
I’ve narrowed it to the AD methodology and relay sections. Next I’m reading the existing Kerberos, DNS, relay, ADCS, and SCCM pages to avoid duplicating material and to pick a single target file.
I’ve confirmed the closest fit is the existing Kerberos relay section in the relay methodology page, not a new AD page. I’m doing one quick external check for canonical source URLs before writing the update.
I’ve verified the technique is missing and I’m adding it to the existing Kerberos relay section as a focused subsection. The update will cover the Unicode normalization primitive, DNS/SPN collision constraints, the local-forwarder LPE variant, and the non-SMB relay targets that still matter.
The content is in place. I found the Synacktiv reference URL I first inserted was wrong, so I’m correcting that and then I’ll do a final diff/readback check.
Updated spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md in the existing Kerberos Relay attack section instead of creating a new page. The new subsection documents the Unicode-normalization Kerberos reflection primitive from Synacktiv: how CompareStringW and LCMapStringEx(..., 0x31403) disagree, why ADIDNS uniqueness checks constrain hostname-only variants, how the FQDN-based collision is used for coercion and relay, how the SMB mitigation changed it into a local-forwarder LPE path, and why AD CS / SCCM AdminService remain relevant non-SMB targets. I also added the required references at the end of the file, including the Synacktiv article and the Microsoft docs for LCMapStringEx and CompareStringW.

Verification: I re-read the modified section, checked the git diff, confirmed the references section is still at the end of the file, and validated the Synacktiv URL returns HTTP 200.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
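As an added defensive example (not part of this PR or of the Synacktiv write-up), the script below flags DNS/SPN host names that contain non-ASCII characters and fold to the same key as an existing ASCII name, using the two lookalikes from the Technical Details section (U+24C7 circled R and U+2024 one dot leader) in a constructed sample. NFKC plus case folding is assumed here as a portable stand-in for the Windows sort-key comparison; it is a detection heuristic for auditing ADIDNS exports, not a reimplementation of LCMapStringEx.

```python
import unicodedata

# Constructed sample of host names as they might appear in an ADIDNS/SPN export.
# The last entry uses the lookalikes named on the page: U+24C7 for "R" and
# U+2024 for ".".
SAMPLE_NAMES = [
    "SRV1.AD.LOCAL",
    "DC01.AD.LOCAL",
    "S\u24c7V1\u2024AD\u2024LOCAL",
]


def fold_name(name: str) -> str:
    """Approximate the 'these strings are equivalent' view.

    NFKC maps circled letters and dot leaders to their ASCII base forms;
    casefold() removes case differences. This is a heuristic and NOT
    LCMapStringEx(LCMAP_SORTKEY, 0x31403), so treat hits as leads to verify.
    """
    return unicodedata.normalize("NFKC", name).casefold()


def non_ascii_chars(name: str):
    """List every non-ASCII character with its code point and Unicode name."""
    return [
        (c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
        for c in name
        if ord(c) > 0x7F
    ]


def find_collisions(names):
    """Return (suspicious_name, legitimate_name, folded_key) for every
    non-ASCII name whose folded form equals that of an ASCII name."""
    ascii_index = {}
    for n in names:
        if n.isascii():
            ascii_index.setdefault(fold_name(n), n)
    hits = []
    for n in names:
        if not n.isascii():
            key = fold_name(n)
            if key in ascii_index:
                hits.append((n, ascii_index[key], key))
    return hits


if __name__ == "__main__":
    for bad, good, key in find_collisions(SAMPLE_NAMES):
        print(f"{bad!r} collides with {good!r} (folded: {key})")
        for ch, cp, nm in non_ascii_chars(bad):
            print(f"    {ch!r} {cp} {nm}")
```

Run it against a real zone or SPN dump by replacing SAMPLE_NAMES; names that fold to an existing host but are not byte-identical deserve a look, since legitimate records are almost never registered with compatibility characters.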